npm - create-forgeon - Versions diffs - 0.3.16 → 0.3.17 - Mend

create-forgeon 0.3.16 → 0.3.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (107) hide show

package/templates/module-presets/accounts/packages/accounts-api/src/auth-core.service.ts ADDED Viewed

@@ -0,0 +1,318 @@
+import crypto from 'node:crypto';
+import {
+  BadRequestException,
+  ConflictException,
+  Inject,
+  Injectable,
+  UnauthorizedException,
+} from '@nestjs/common';
+import type {
+  AuthSessionResponse,
+  RegisterRequest,
+  UserRecordDto,
+} from '@forgeon/accounts-contracts';
+import { ACCOUNTS_EMAIL_PORT, type AccountsEmailPort } from './accounts-email.port';
+import {
+  ACCOUNTS_PERSISTENCE_PORT,
+  type AccountsPersistencePort,
+} from './accounts-persistence.port';
+import { AuthJwtService } from './auth-jwt.service';
+import { AuthPasswordService } from './auth-password.service';
+import type { AuthRefreshTokenPayload } from './auth.types';
+import { UsersService } from './users.service';
+import { toUserRecordDto } from './users.types';
+const AUTH_ERROR_CODES = {
+  invalidCredentials: 'AUTH_INVALID_CREDENTIALS',
+  refreshInvalid: 'AUTH_REFRESH_INVALID',
+  tokenExpired: 'AUTH_TOKEN_EXPIRED',
+  emailTaken: 'AUTH_EMAIL_TAKEN',
+  accountDisabled: 'AUTH_ACCOUNT_DISABLED',
+} as const;
+@Injectable()
+export class AuthCoreService {
+  constructor(
+    @Inject(ACCOUNTS_PERSISTENCE_PORT)
+    private readonly persistence: AccountsPersistencePort,
+    @Inject(ACCOUNTS_EMAIL_PORT)
+    private readonly emailPort: AccountsEmailPort,
+    private readonly authJwtService: AuthJwtService,
+    private readonly authPasswordService: AuthPasswordService,
+    private readonly usersService: UsersService,
+  ) {}
+  async registerWithPassword(input: RegisterRequest): Promise<AuthSessionResponse> {
+    const email = input.email.trim().toLowerCase();
+    const existing = await this.persistence.findPasswordAccountByEmail(email);
+    if (existing) {
+      throw new ConflictException({
+        message: 'Email is already registered',
+        details: { code: AUTH_ERROR_CODES.emailTaken },
+      });
+    }
+    const passwordHash = await this.authPasswordService.hash(input.password);
+    const account = await this.persistence.createPasswordAccount({
+      email,
+      passwordHash,
+      status: 'active',
+      userData: this.usersService.resolveUserData(input.user),
+      profile: {
+        name: this.readNullableString(input.profile, 'name'),
+        avatar: this.readNullableString(input.profile, 'avatar'),
+        data: this.usersService.resolveProfileData(this.readNestedObject(input.profile, 'data')),
+      },
+      settings: {
+        theme: this.readNullableString(input.settings, 'theme'),
+        locale: this.readNullableString(input.settings, 'locale'),
+        data: this.usersService.resolveSettingsData(this.readNestedObject(input.settings, 'data')),
+      },
+    });
+    const verificationToken = this.createStubToken('verify', account.id);
+    await Promise.all([
+      this.emailPort.sendVerificationEmail({
+        email,
+        token: verificationToken,
+        userId: account.id,
+      }),
+      this.emailPort.sendWelcomeEmail({
+        email,
+        userId: account.id,
+      }),
+    ]);
+    return this.issueSession(toUserRecordDto(account));
+  }
+  async loginWithPassword(emailInput: string, password: string): Promise<AuthSessionResponse> {
+    const email = emailInput.trim().toLowerCase();
+    const account = await this.persistence.findPasswordAccountByEmail(email);
+    if (!account?.passwordHash) {
+      throw this.invalidCredentialsError();
+    }
+    this.assertAccountActive(account);
+    const matched = await this.authPasswordService.verify(password, account.passwordHash);
+    if (!matched) {
+      throw this.invalidCredentialsError();
+    }
+    return this.issueSession(toUserRecordDto(account));
+  }
+  async refreshTokens(refreshToken: string): Promise<AuthSessionResponse> {
+    let payload: AuthRefreshTokenPayload;
+    try {
+      payload = await this.authJwtService.verifyRefreshToken(refreshToken);
+    } catch (error) {
+      const code =
+        error instanceof Error && error.name === 'TokenExpiredError'
+          ? AUTH_ERROR_CODES.tokenExpired
+          : AUTH_ERROR_CODES.refreshInvalid;
+      throw new UnauthorizedException({
+        message: 'Refresh token is invalid or expired',
+        details: { code },
+      });
+    }
+    const record = await this.persistence.findRefreshTokenById(payload.jti);
+    if (!record || record.revokedAt || record.userId !== payload.sub || record.expiresAt <= new Date()) {
+      throw new UnauthorizedException({
+        message: 'Refresh token is invalid or expired',
+        details: { code: AUTH_ERROR_CODES.refreshInvalid },
+      });
+    }
+    const matched = await this.authPasswordService.verify(refreshToken, record.tokenHash);
+    if (!matched) {
+      await this.persistence.revokeRefreshToken(record.id, new Date());
+      throw new UnauthorizedException({
+        message: 'Refresh token is invalid or expired',
+        details: { code: AUTH_ERROR_CODES.refreshInvalid },
+      });
+    }
+    const account = await this.persistence.findAccountByUserId(payload.sub);
+    if (!account) {
+      throw new UnauthorizedException({
+        message: 'Refresh token is invalid or expired',
+        details: { code: AUTH_ERROR_CODES.refreshInvalid },
+      });
+    }
+    this.assertAccountActive(account);
+    await this.persistence.revokeRefreshToken(record.id, new Date());
+    return this.issueSession(toUserRecordDto(account));
+  }
+  async logout(userId: string, refreshToken: string): Promise<void> {
+    const payload = await this.authJwtService.verifyRefreshToken(refreshToken);
+    if (payload.sub !== userId) {
+      throw new UnauthorizedException({
+        message: 'Refresh token does not belong to the current user',
+        details: { code: AUTH_ERROR_CODES.refreshInvalid },
+      });
+    }
+    await this.persistence.revokeRefreshToken(payload.jti, new Date());
+  }
+  async changePassword(userId: string, newPassword: string): Promise<void> {
+    const passwordHash = await this.authPasswordService.hash(newPassword);
+    await this.persistence.updatePassword(userId, passwordHash);
+    await this.persistence.revokeRefreshTokensForUser(userId, new Date());
+  }
+  async requestPasswordReset(emailInput: string) {
+    const email = emailInput.trim().toLowerCase();
+    const account = await this.persistence.findPasswordAccountByEmail(email);
+    if (account) {
+      await this.emailPort.sendPasswordResetEmail({
+        email,
+        token: this.createStubToken('reset', account.id),
+        userId: account.id,
+      });
+    }
+    return {
+      status: 'accepted',
+      delivery: 'stub',
+    };
+  }
+  async resetPassword(token: string, newPassword: string) {
+    if (token.trim().length < 8) {
+      throw new BadRequestException('Reset token is invalid');
+    }
+    return {
+      status: 'accepted',
+      delivery: 'stub',
+      nextAction: 'emails-module',
+      passwordLength: newPassword.length,
+    };
+  }
+  async verifyEmail(token: string) {
+    if (token.trim().length < 8) {
+      throw new BadRequestException('Verification token is invalid');
+    }
+    return {
+      status: 'accepted',
+      delivery: 'stub',
+      nextAction: 'emails-module',
+    };
+  }
+  async me(userId: string): Promise<{ user: UserRecordDto }> {
+    const user = await this.usersService.getByIdOrThrow(userId);
+    return { user };
+  }
+  getProbeStatus() {
+    return {
+      status: 'ok',
+      feature: 'accounts',
+      storage: 'db-adapter',
+      emailDelivery: 'stub',
+      selfServiceRoutes: [
+        '/api/users/:id',
+        '/api/users/:id/profile',
+        '/api/users/:id/settings',
+      ],
+    };
+  }
+  private async issueSession(user: UserRecordDto): Promise<AuthSessionResponse> {
+    const refreshId = crypto.randomUUID();
+    const [accessToken, refreshToken] = await Promise.all([
+      this.authJwtService.signAccessToken({
+        sub: user.id,
+        email: user.email ?? undefined,
+        type: 'access',
+      }),
+      this.authJwtService.signRefreshToken({
+        sub: user.id,
+        email: user.email ?? undefined,
+        jti: refreshId,
+        type: 'refresh',
+      }),
+    ]);
+    const tokenHash = await this.authPasswordService.hash(refreshToken);
+    await this.persistence.createRefreshToken({
+      id: refreshId,
+      userId: user.id,
+      tokenHash,
+      expiresAt: this.toExpiresAt(this.authJwtService.refreshTtl),
+    });
+    return {
+      accessToken,
+      refreshToken,
+      tokenType: 'Bearer',
+      accessTtl: this.authJwtService.accessTtl,
+      refreshTtl: this.authJwtService.refreshTtl,
+      user,
+    };
+  }
+  private assertAccountActive(user: { status: string; deletedAt: Date | null }) {
+    if (user.deletedAt || user.status !== 'active') {
+      throw new UnauthorizedException({
+        message: 'Account is not active',
+        details: { code: AUTH_ERROR_CODES.accountDisabled },
+      });
+    }
+  }
+  private invalidCredentialsError() {
+    return new UnauthorizedException({
+      message: 'Invalid credentials',
+      details: { code: AUTH_ERROR_CODES.invalidCredentials },
+    });
+  }
+  private createStubToken(kind: string, userId: string): string {
+    return `stub-${kind}-${userId}-${Date.now()}`;
+  }
+  private readNullableString(input: unknown, key: string): string | null {
+    if (!input || typeof input !== 'object' || Array.isArray(input)) {
+      return null;
+    }
+    const value = (input as Record<string, unknown>)[key];
+    return typeof value === 'string' && value.trim().length > 0 ? value.trim() : null;
+  }
+  private readNestedObject(input: unknown, key: string): Record<string, unknown> | null {
+    if (!input || typeof input !== 'object' || Array.isArray(input)) {
+      return null;
+    }
+    const value = (input as Record<string, unknown>)[key];
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+      return null;
+    }
+    return value as Record<string, unknown>;
+  }
+  private toExpiresAt(ttl: string): Date {
+    const now = Date.now();
+    const match = ttl.trim().match(/^(\d+)([smhd])$/i);
+    if (!match) {
+      const seconds = Number.parseInt(ttl, 10);
+      return new Date(now + (Number.isFinite(seconds) ? seconds : 7 * 24 * 60 * 60) * 1000);
+    }
+    const amount = Number.parseInt(match[1], 10);
+    const unit = match[2].toLowerCase();
+    const multiplier =
+      unit === 's' ? 1000 : unit === 'm' ? 60_000 : unit === 'h' ? 3_600_000 : 86_400_000;
+    return new Date(now + amount * multiplier);
+  }
+}

package/templates/module-presets/{jwt-auth/packages/auth-api → accounts/packages/accounts-api}/src/auth-env.schema.ts RENAMED Viewed

@@ -6,9 +6,9 @@ export const authEnvSchema = z
     JWT_ACCESS_EXPIRES_IN: z.string().trim().min(2).default('15m'),
     JWT_REFRESH_SECRET: z.string().trim().min(16).default('forgeon-refresh-secret-change-me'),
     JWT_REFRESH_EXPIRES_IN: z.string().trim().min(2).default('7d'),
-    AUTH_BCRYPT_ROUNDS: z.coerce.number().int().min(4).max(15).default(10),
-    AUTH_DEMO_EMAIL: z.string().trim().email().default('demo@forgeon.local'),
-    AUTH_DEMO_PASSWORD: z.string().min(8).default('forgeon-demo-password'),
+    AUTH_ARGON2_MEMORY_COST: z.coerce.number().int().min(1024).default(19456),
+    AUTH_ARGON2_TIME_COST: z.coerce.number().int().min(1).default(2),
+    AUTH_ARGON2_PARALLELISM: z.coerce.number().int().min(1).default(1)
   })
   .passthrough();
@@ -16,4 +16,4 @@ export type AuthEnv = z.infer<typeof authEnvSchema>;
 export function parseAuthEnv(input: Record<string, unknown>): AuthEnv {
   return authEnvSchema.parse(input);
-}
+}

package/templates/module-presets/accounts/packages/accounts-api/src/auth-jwt.service.ts ADDED Viewed

@@ -0,0 +1,58 @@
+import { Injectable } from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import type { JwtSignOptions } from '@nestjs/jwt';
+import type { AuthAccessClaims, AuthRefreshClaims } from '@forgeon/accounts-contracts';
+import { AuthConfigService } from './auth-config.service';
+import type { AuthAccessTokenPayload, AuthRefreshTokenPayload } from './auth.types';
+type JwtExpiresIn = NonNullable<JwtSignOptions['expiresIn']>;
+@Injectable()
+export class AuthJwtService {
+  constructor(
+    private readonly jwtService: JwtService,
+    private readonly authConfigService: AuthConfigService,
+  ) {}
+  signAccessToken(payload: AuthAccessClaims): Promise<string> {
+    return this.jwtService.signAsync(payload, {
+      secret: this.authConfigService.accessSecret,
+      expiresIn: this.toJwtExpiresIn(this.authConfigService.accessExpiresIn),
+    });
+  }
+  signRefreshToken(payload: AuthRefreshClaims): Promise<string> {
+    return this.jwtService.signAsync(payload, {
+      secret: this.authConfigService.refreshSecret,
+      expiresIn: this.toJwtExpiresIn(this.authConfigService.refreshExpiresIn),
+    });
+  }
+  verifyAccessToken(token: string): Promise<AuthAccessTokenPayload> {
+    return this.jwtService.verifyAsync<AuthAccessTokenPayload>(token, {
+      secret: this.authConfigService.accessSecret,
+    });
+  }
+  verifyRefreshToken(token: string): Promise<AuthRefreshTokenPayload> {
+    return this.jwtService.verifyAsync<AuthRefreshTokenPayload>(token, {
+      secret: this.authConfigService.refreshSecret,
+    });
+  }
+  get accessTtl(): string {
+    return this.authConfigService.accessExpiresIn;
+  }
+  get refreshTtl(): string {
+    return this.authConfigService.refreshExpiresIn;
+  }
+  private toJwtExpiresIn(value: string): JwtExpiresIn {
+    const trimmed = value.trim();
+    if (/^\d+$/.test(trimmed)) {
+      return Number(trimmed);
+    }
+    return trimmed as JwtExpiresIn;
+  }
+}

package/templates/module-presets/accounts/packages/accounts-api/src/auth-password.service.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import argon2 from 'argon2';
+import { Injectable } from '@nestjs/common';
+import { AuthConfigService } from './auth-config.service';
+@Injectable()
+export class AuthPasswordService {
+  constructor(private readonly authConfigService: AuthConfigService) {}
+  hash(password: string): Promise<string> {
+    return argon2.hash(password, {
+      type: argon2.argon2id,
+      memoryCost: this.authConfigService.argon2MemoryCost,
+      timeCost: this.authConfigService.argon2TimeCost,
+      parallelism: this.authConfigService.argon2Parallelism,
+    });
+  }
+  verify(password: string, hash: string): Promise<boolean> {
+    return argon2.verify(hash, password);
+  }
+}

package/templates/module-presets/accounts/packages/accounts-api/src/auth.controller.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import {
+  Body,
+  Controller,
+  Get,
+  Post,
+  Req,
+  UseGuards,
+} from '@nestjs/common';
+import { AuthService } from './auth.service';
+import {
+  ChangePasswordDto,
+  ConfirmPasswordResetDto,
+  LoginDto,
+  RefreshDto,
+  RegisterDto,
+  RequestPasswordResetDto,
+  VerifyEmailDto,
+} from './dto';
+import { JwtAuthGuard } from './access-token.guard';
+import type { AuthAccessTokenPayload } from './auth.types';
+type RequestWithUser = { user?: AuthAccessTokenPayload };
+@Controller('auth')
+export class AuthController {
+  constructor(private readonly authService: AuthService) {}
+  @Post('register')
+  register(@Body() body: RegisterDto) {
+    return this.authService.register(body);
+  }
+  @Post('login')
+  login(@Body() body: LoginDto) {
+    return this.authService.login(body);
+  }
+  @Post('refresh')
+  refresh(@Body() body: RefreshDto) {
+    return this.authService.refresh(body);
+  }
+  @UseGuards(JwtAuthGuard)
+  @Post('logout')
+  async logout(@Body() body: RefreshDto, @Req() request: RequestWithUser) {
+    const user = this.getRequestUser(request);
+    await this.authService.logout(user.sub, body.refreshToken);
+    return { status: 'ok' };
+  }
+  @UseGuards(JwtAuthGuard)
+  @Get('me')
+  me(@Req() request: RequestWithUser) {
+    const user = this.getRequestUser(request);
+    return this.authService.me(user.sub);
+  }
+  @UseGuards(JwtAuthGuard)
+  @Post('change-password')
+  async changePassword(@Body() body: ChangePasswordDto, @Req() request: RequestWithUser) {
+    const user = this.getRequestUser(request);
+    await this.authService.changePassword(user.sub, body.newPassword);
+    return { status: 'ok' };
+  }
+  @Post('verify-email')
+  verifyEmail(@Body() body: VerifyEmailDto) {
+    return this.authService.verifyEmail(body.token);
+  }
+  @Post('password-reset/request')
+  requestPasswordReset(@Body() body: RequestPasswordResetDto) {
+    return this.authService.requestPasswordReset(body.email);
+  }
+  @Post('password-reset/confirm')
+  confirmPasswordReset(@Body() body: ConfirmPasswordResetDto) {
+    return this.authService.resetPassword(body.token, body.newPassword);
+  }
+  private getRequestUser(request: RequestWithUser): AuthAccessTokenPayload {
+    const user = request.user;
+    if (!user?.sub) {
+      return {
+        sub: 'unknown',
+        email: 'unknown@invalid.local',
+        type: 'access',
+      };
+    }
+    return user;
+  }
+}

package/templates/module-presets/accounts/packages/accounts-api/src/auth.service.ts ADDED Viewed

@@ -0,0 +1,48 @@
+import { Injectable } from '@nestjs/common';
+import type { RegisterRequest } from '@forgeon/accounts-contracts';
+import { AuthCoreService } from './auth-core.service';
+@Injectable()
+export class AuthService {
+  constructor(private readonly authCoreService: AuthCoreService) {}
+  register(input: RegisterRequest) {
+    return this.authCoreService.registerWithPassword(input);
+  }
+  login(input: { email: string; password: string }) {
+    return this.authCoreService.loginWithPassword(input.email, input.password);
+  }
+  refresh(input: { refreshToken: string }) {
+    return this.authCoreService.refreshTokens(input.refreshToken);
+  }
+  logout(userId: string, refreshToken: string) {
+    return this.authCoreService.logout(userId, refreshToken);
+  }
+  changePassword(userId: string, newPassword: string) {
+    return this.authCoreService.changePassword(userId, newPassword);
+  }
+  requestPasswordReset(email: string) {
+    return this.authCoreService.requestPasswordReset(email);
+  }
+  resetPassword(token: string, newPassword: string) {
+    return this.authCoreService.resetPassword(token, newPassword);
+  }
+  verifyEmail(token: string) {
+    return this.authCoreService.verifyEmail(token);
+  }
+  me(userId: string) {
+    return this.authCoreService.me(userId);
+  }
+  getProbeStatus() {
+    return this.authCoreService.getProbeStatus();
+  }
+}

package/templates/module-presets/accounts/packages/accounts-api/src/auth.types.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import type { AuthAccessClaims, AuthRefreshClaims, IdentityProvider } from '@forgeon/accounts-contracts';
+export interface AuthAccessTokenPayload extends AuthAccessClaims {
+  iat?: number;
+  exp?: number;
+}
+export interface AuthRefreshTokenPayload extends AuthRefreshClaims {
+  iat?: number;
+  exp?: number;
+}
+export interface AuthProfile {
+  provider: IdentityProvider;
+  providerId: string;
+  email?: string;
+}

package/templates/module-presets/accounts/packages/accounts-api/src/dto/change-password.dto.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { ChangePasswordRequest } from '@forgeon/accounts-contracts';
+import { IsOptional, IsString, MinLength } from 'class-validator';
+export class ChangePasswordDto implements ChangePasswordRequest {
+  @IsOptional()
+  @IsString()
+  @MinLength(8)
+  currentPassword?: string;
+  @IsString()
+  @MinLength(8)
+  newPassword!: string;
+}

package/templates/module-presets/accounts/packages/accounts-api/src/dto/confirm-password-reset.dto.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { ConfirmPasswordResetRequest } from '@forgeon/accounts-contracts';
+import { IsString, MinLength } from 'class-validator';
+export class ConfirmPasswordResetDto implements ConfirmPasswordResetRequest {
+  @IsString()
+  @MinLength(8)
+  token!: string;
+  @IsString()
+  @MinLength(8)
+  newPassword!: string;
+}

package/templates/module-presets/accounts/packages/accounts-api/src/dto/index.ts ADDED Viewed

@@ -0,0 +1,10 @@
+export * from './change-password.dto';
+export * from './confirm-password-reset.dto';
+export * from './login.dto';
+export * from './refresh.dto';
+export * from './register.dto';
+export * from './request-password-reset.dto';
+export * from './update-user-profile.dto';
+export * from './update-user-settings.dto';
+export * from './update-user.dto';
+export * from './verify-email.dto';

package/templates/module-presets/{jwt-auth/packages/auth-api → accounts/packages/accounts-api}/src/dto/login.dto.ts RENAMED Viewed

@@ -1,4 +1,4 @@
-import type { LoginRequest } from '@forgeon/auth-contracts';
+import type { LoginRequest } from '@forgeon/accounts-contracts';
 import { IsEmail, IsString, MinLength } from 'class-validator';
 export class LoginDto implements LoginRequest {

package/templates/module-presets/{jwt-auth/packages/auth-api → accounts/packages/accounts-api}/src/dto/refresh.dto.ts RENAMED Viewed

@@ -1,4 +1,4 @@
-import type { RefreshRequest } from '@forgeon/auth-contracts';
+import type { RefreshRequest } from '@forgeon/accounts-contracts';
 import { IsString, MinLength } from 'class-validator';
 export class RefreshDto implements RefreshRequest {

package/templates/module-presets/accounts/packages/accounts-api/src/dto/register.dto.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import type { RegisterRequest } from '@forgeon/accounts-contracts';
+import { IsEmail, IsObject, IsOptional, IsString, MinLength } from 'class-validator';
+export class RegisterDto implements RegisterRequest {
+  @IsEmail()
+  email!: string;
+  @IsString()
+  @MinLength(8)
+  password!: string;
+  @IsOptional()
+  @IsObject()
+  user?: Record<string, unknown>;
+  @IsOptional()
+  @IsObject()
+  profile?: Record<string, unknown>;
+  @IsOptional()
+  @IsObject()
+  settings?: Record<string, unknown>;
+}

package/templates/module-presets/accounts/packages/accounts-api/src/dto/request-password-reset.dto.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { RequestPasswordResetRequest } from '@forgeon/accounts-contracts';
+import { IsEmail } from 'class-validator';
+export class RequestPasswordResetDto implements RequestPasswordResetRequest {
+  @IsEmail()
+  email!: string;
+}

package/templates/module-presets/accounts/packages/accounts-api/src/dto/update-user-profile.dto.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import type { UpdateUserProfileRequest } from '@forgeon/accounts-contracts';
+import { IsObject, IsOptional, IsString } from 'class-validator';
+export class UpdateUserProfileDto implements UpdateUserProfileRequest {
+  @IsOptional()
+  @IsString()
+  name?: string | null;
+  @IsOptional()
+  @IsString()
+  avatar?: string | null;
+  @IsOptional()
+  @IsObject()
+  data?: Record<string, unknown>;
+}